tags:

views:

662

answers:

3
Q: 

How does codeigniter's form validation library handle xss filtering?

The codeigniter form validation library provides the option to 'prep' data from a form that is being validated. The following is a snippet from the documentation:

$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[5]|max_length[12]|xss_clean');

The xss_clean parameter at the end supposedly passes the post data through the xss_clean function.

I am wondering how then do I use the POST data 'username'? Did the xss_clean function act directly on the POST variable so that I may then do: $username = $this->input->post('username'); and actually get the filtered data? What if I place that last statement before the validation line: will $username contain unfiltered data in this case? Thanks.

A: 

from the user guide

"If anything disallowed is encountered it is rendered safe by converting the data to character entities"

so yes, after running $this->input->post('username') through the form validation with the xss option set any dirty data will come out clean.

and yes, if you place that statement before the validation line it will not be cleaned.

note that you can run xss globally on all form submitted data so that you don't need to include it in your validation rules.

stef  2009-08-13 09:06:18
A: 

I would highly recommend looking through system/libraries/Input.php You can see exactly how the work is done in there.

I always recommend turning the global xss_clean on. There is very little impact on performance, unless you are not checking for xss on some fields, purposely.

Zack  2009-08-18 14:08:34
+1  A: 

The validation does xss clean, but it has nothing to do with $this->input->post('username'). That line right there will xss clean automatically, completely independent of your validation stuff (assuming you have global xss filtering on). As a matter of fact, I'm willing to bet that doing both will actually xss clean it twice, because I'm pretty sure that validation just creates a copy of the array..it doesn't actually modify $_POST.

But as I said, if you're accessing it by $this->input->post('username'), it will be cleaned regardless.

ryeguy  2009-09-10 13:03:25

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases